From 406c84511eaa281c1d488719115b2b0428ce06f9 Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Fri, 5 Dec 2025 14:58:54 -0500
Subject: [PATCH 1/2] Remove crossorigin from preload hints for same-origin vendor assets

Vendor assets are served from /vendor/... (same origin), so crossorigin attribute on preload hints causes a credentials mode mismatch. The browser preloads with anonymous credentials but requests without, resulting in cache misses and double fetching.
---
 _headers | 8 ++++----
 assets/js/boot.js | 4 ++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/_headers b/_headers
index e771b17c..d6f2613f 100644
--- a/_headers
+++ b/_headers
@@ -92,7 +92,7 @@ Add resource hints for site-wide css.
 Add resource hints for site-wide vendor css.
 {% endcomment %}
 {% for res in site.vendor.css %}
- {% capture hint %}<{{ res.href }}>; rel=preload; as=style; pr=1.0; crossorigin{% endcapture %}
+ {% capture hint %}<{{ res.href }}>; rel=preload; as=style; pr=1.0{% endcapture %}
 {% assign all = all | push:hint %}
 {% endfor %}
@@ -103,7 +103,7 @@ Add resource hints for site-wide font faces.
 {% for style in family[1] %}
 {% for href in style[1] %}
 {% if href contains '.woff2' %}
- {% capture hint %}<{{ href }}>; rel=preload; as=font; pr=1.0; crossorigin{% endcapture %}
+ {% capture hint %}<{{ href }}>; rel=preload; as=font; pr=1.0{% endcapture %}
 {% assign all = all | push:hint %}
 {% endif %}
 {% endfor %}
@@ -146,7 +146,7 @@ Add resource hints for docs js.
 Add resource hints for docs vendor js.
 {% endcomment %}
 {% for res in site.vendor.js %}
- {% capture hint %}<{{ res.href }}>; rel=preload; as=script; pr=1.0; crossorigin{% endcapture %}
+ {% capture hint %}<{{ res.href }}>; rel=preload; as=script; pr=1.0{% endcapture %}
 {% assign docs = docs | push:hint %}
 {% endfor %}
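Review bot: The font hint in the `@@ -103,7 +103,7 @@` hunk should keep `crossorigin`: browsers fetch fonts in anonymous CORS mode even when the font is same-origin, so a `rel=preload; as=font` hint without the attribute does not match the later `@font-face` request and the file is downloaded twice. The credentials-mismatch reasoning in the commit message holds for the `as=style` and `as=script` hints, but for fonts it runs the other way. Keep this line as `{% capture hint %}<{{ href }}>; rel=preload; as=font; pr=1.0; crossorigin{% endcapture %}`. The enclosing loop over font families starts outside the hunk.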
@@ -178,7 +178,7 @@ Add link header for doc pages.
 {% for res in site.builds %}
 /docs/{{ res[0] }}*
- Link: <{{ res[1].href }}>; rel=preload; as=script; pr=1.0; crossorigin
+ Link: <{{ res[1].href }}>; rel=preload; as=script; pr=1.0
 {% endfor %}
 {% comment %}
diff --git a/assets/js/boot.js b/assets/js/boot.js
index 8a1695d0..77a26784 100644
--- a/assets/js/boot.js
+++ b/assets/js/boot.js
@@ -9,6 +9,10 @@ function addStyleSheet(res) {
 var link = document.createElement('link')
+ // Note: crossOrigin is only needed for cross-origin requests with SRI.
+ // Since vendor assets are now served from same origin (/vendor/...),
+ // this condition won't match and crossOrigin won't be set - which is correct.
+ // If loading from external CDNs again, this enables CORS for SRI verification.
 if (res.integrity && res.href.slice(0, 6) === 'https:') {
 link.crossOrigin = 'anonymous'
From 56756a3d6a2f74de1896d792f47a3ab5c1d5542c Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Fri, 5 Dec 2025 17:24:25 -0500
Subject: [PATCH 2/2] remove jsdelivr hint, we dont use it at all currently

---
 _headers | 1 -
 1 file changed, 1 deletion(-)

diff --git a/_headers b/_headers
index d6f2613f..ac360983 100644
--- a/_headers
+++ b/_headers
@@ -64,7 +64,6 @@ csp:
 hints:
 all: [
 '; rel=serviceworker',
- '; rel=preconnect; pr=1.0; crossorigin',
 '; rel=dns-prefetch; pr=0.25',
 '; rel=dns-prefetch; pr=0.25'
 ]
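Review bot: The `Link:` header in the `@@ -178,7 +178,7 @@` hunk is built from `site.builds`, which the commit message does not cover; its same-origin argument is made only for vendor assets under `/vendor/...`. If any `res[1].href` is an absolute `https:` URL with an integrity value, and scripts are loaded the way `addStyleSheet` in `assets/js/boot.js` loads stylesheets, the real request would be made with `crossOrigin = 'anonymous'` and this hint would no longer be reused. Neither the build hrefs nor the script loader is visible here, so this needs confirming. A comment above the loop would record the assumption, for example `{% comment %}site.builds hrefs are same-origin, so the hint carries no crossorigin{% endcomment %}`.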
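Review bot: The comment added in the `assets/js/boot.js` hunk calls the test "cross-origin", but the condition beneath it keys on the URL scheme, `res.href.slice(0, 6) === 'https:'`, not on the origin. A protocol-relative `//host/...` href with an integrity value would skip `crossOrigin`, and a cross-origin fetch made without CORS cannot be integrity-checked, so the browser would reject the stylesheet; an absolute same-origin `https:` URL would get the attribute needlessly. Either word the comment to match what is tested, e.g. `// crossOrigin is set only for absolute https: URLs that carry an integrity value`, or compare origins with `new URL(res.href, location.href).origin !== location.origin`. The rest of `addStyleSheet` lies outside the hunk, so whether `link.integrity` is still assigned for same-origin hrefs cannot be seen here.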